Abstract: A verification method for distributed systems based on decoupling forward and backward behaviour is proposed. This method uses an event structure based algorithm that, given a CCS process, constructs its causal compression relative to a choice of observable actions. Verifying the original process equipped with distributed backtracking on non-observable actions is equivalent to verifying its relative compression, which in general is much smaller. We call this method Declarative Concurrent Programming (DCP).

The DCP technique compares well with direct bisimulation based methods. Benchmarks for the classic dining philosophers problem show that causal compression is rather efficient both time- and space-wise. State of the art verification tools can successfully handle more than 15 agents, whereas they can handle no more than 5 following the traditional direct method; an altogether spectacular improvement, since in this example the specification size is exponential in the number of agents.
Résumé: We propose a verification method for distributed systems based on the distinction between the forward and backward behaviour of a transactional system. This method uses an algorithm based on event structures which, given a CCS process, constructs its causal transition system relative to a set of observable actions. Verifying the original CCS process, equipped with a backtracking mechanism on non-observable transitions, amounts to verifying the correctness of the causal transition system of the process, which is in general much smaller. This method is called Declarative Concurrent Programming (DCP).

The performance of DCP compared with that of traditional bisimulation techniques gives encouraging results. A benchmark using the classic dining philosophers problem shows that DCP is more efficient than the direct method, both in terms of computation time and of space required. Indeed, standard bisimulation tools can verify systems of more than 15 philosophers in the DCP case, whereas they cannot handle more than 5 philosophers with a direct programming approach. This performance improvement is all the more spectacular as the size of the specification system for the philosophers is exponential in the number of agents.

Keywords: Process algebras, transactions, event structures, verification, bisimulation
1 Introduction

Backtracking is commonplace in transactional systems where different components, such 
as processes accessing a distributed database, need to acquire a resource simultaneously. 
To ensure unconditional correctness of the overall execution of the transaction, one usually 
provides a code that incorporates explicit escapes from those cases where a global consensus 
cannot be met. Such an upfront method generates a large and unstructured state space, 
which often means verification based on proving that the code is bisimilar to a reference 
specification becomes unfeasible. 

Based on earlier work, we propose here an indirect verification method, and show on an 
example that it can handle larger specifications. The idea is to break down the distributed 
implementation of a given reference specification in two steps. First, one writes down a 
code which is only required to meet a weaker condition of causal or forward correctness 
relative to the specification. This condition is parameterised by a choice of observable actions 
corresponding to the actions of the specification. Second, the obtained code is equipped with 
a generic form of distributed backtracking on non-observable actions. A general theorem 
reduces the correctness of the latter partially reversible code to the causal correctness of the 
former [1]. 

In many transactional examples, this structured programming method works well, and obtains codes which are smaller, and simpler to understand [2]. It also seems interesting from a correctness perspective, since one never has to deal with the full state space, and it is enough to consider the much smaller state space of the forward code causal compression relative to observable actions. Thus it obtains codes which are also easier to prove correct. It is only natural then to ask whether and to which extent such indirect correctness proofs can be automated. This is the question we address in this paper.

Specifically we propose an algorithm which, under certain rather mild assumptions about the system of interest, will compute its causal compression relative to a choice of observables. The true concurrency semantics tradition of using event structures as an intrinsic process representation comes to the rescue here. Indeed, event structures provide a representation of computation traces up to trace equivalence, and therefore reduce redundancy during the search of the compression. Besides, event structures are uniquely suited to the handling of causal relationships between various events triggered by a process [3]. For these reasons our procedure includes a translation of the process as a recursive flow event structure, and computes the relative causal compression on this intermediate representation. The algorithm also relies on a compact representation of the conflict relation between events, and seems to perform well both space-wise, obtaining a much smaller state space, and time-wise. Benchmarks given for the classical example of the dining philosophers show a significant state compression, and a relatively low cost incurred by compression. Direct programming generates a state space that is already too big to be constructed by bisimulation verifiers for 6 agents, whereas our method can go well beyond 15.

The language we use to formalize concurrent systems is the Calculus of Communicating Systems (CCS) [4]. This is a slightly more expressive language than basic models of communicating automata, in that processes can dynamically fork. On the other hand, this communication model includes no name-passing, which is a severe limitation in some applications. As is discussed further in the conclusion it is possible to adapt the present development, which is largely independent of the chosen communication model, to richer languages such as the $\pi$-calculus.

Figure 1: CCS syntax

  Processes  p, q ::=  $a.p$                       Action prefixing
                    |  $p \mid q$                  Parallel composition
                    |  $p + q$                     Choice
                    |  $D(\tilde x) := p$          Recursive definition
                    |  $(x)p$                      Name restriction
                    |  $0$                         Empty process

  Actions    a    ::=  $x, y, \ldots$              Input
                    |  $\bar x, \bar y, \ldots$    Output
                    |  $\tau$                      Silent action

Section 2 starts with a quick recall of CCS [4]. Section 3 develops its reversible variant RCCS, together with the central notion of causal correctness, and the fundamental result connecting causal correctness of a CCS process and full correctness of its lifting as a partially reversible process in RCCS [1]. The relative causal compression algorithm, and the accompanying verification method, are explained in Section 4. Section 5 compares this method with the traditional direct method, using the dining philosophers problem as a benchmark. The conclusion discusses related work and further directions.



2.1 Syntax 

CCS processes interact through binary communications on named channels: an output on channel $x$ is written $\bar x$, an input on the same channel is simply written $x$. The complete syntax is given in Fig. 1.

We write $P$ for the set of processes, $A$ for the set of actions, and $A^*$ for the free monoid of action words. Restriction $(x)p$ binds $x$ in $p$ and the set of free names of $p$ is defined accordingly. In a recursive definition $D(\tilde x) := p$ the free names of $p$ have to be $\tilde x$.

2.2 Operational semantics 

A labelled transition system (LTS) is a tuple $(S, s, L, \to)$ where $S$ is called the state space, $s$ the initial state, $L$ the set of labels, and $\to \subseteq S \times L \times S$ the transition relation. One uses the common notation $s \to_a t$ and, for $m = a_1 \ldots a_n \in A^*$, $s \to^*_m t$ means $s \to_{a_1} s_1, \ldots, s_{n-1} \to_{a_n} t$ for some states $s_1, \ldots, s_{n-1}$.

Figure 2: CCS labelled transition system

  (act)    $a.p + q \to_a p$

  (par)    $\dfrac{p \to_a p'}{p \mid q \to_a p' \mid q}$

  (synch)  $\dfrac{p \to_x p' \quad q \to_{\bar x} q'}{p \mid q \to_\tau p' \mid q'}$

  (res)    $\dfrac{p \to_a p' \quad a \notin \{x, \bar x\}}{(x)p \to_a (x)p'}$

  (equiv)  $\dfrac{p \equiv p' \to_a q' \equiv q}{p \to_a q}$

The operational semantics of a CCS term $p$ is given by means of such an LTS $(P, p, A, \to)$, written $\mathrm{TS}(p)$, where $\to$ is given inductively by the rules in Fig. 2. The equivalence relation $\equiv$ is the classical structural congruence for choice and parallel composition, together with the recursion unfolding rule $(D(\tilde x) := p) \equiv p$.

2.3 Process equivalence 

Several variants of observational equivalence for CCS processes have been considered. We use here a variant of weak bisimulation based on the choice of a countable distinguished subset $K$ of the set of actions $A$, which we fix here once and for all. Actions in $K$ are called observable actions. The complement $A \setminus K$ of non-observable actions is denoted by $K^c$ and is also taken to be countable.

Let $S_1 = (S_1, s_1, A, \to)$ and $S_2 = (S_2, s_2, A, \to)$ be LTSs both with labels in $A$. A relation $\mathcal{R}$ over $S_1 \times S_2$ is said to be a weak simulation between $S_1$ and $S_2$ if $s_1 \mathcal{R} s_2$ and whenever $p_1 \mathcal{R} p_2$:

— if $p_1 \to_a q_1$, $a \in K^c$, then $p_2 \to^*_m q_2$ with $m \in (K^c)^*$, and $q_1 \mathcal{R} q_2$;

— if $p_1 \to_a q_1$, $a \in K$, then $p_2 \to^*_m q_2$ with $m \in (K^c)^*\, a\, (K^c)^*$, and $q_1 \mathcal{R} q_2$.

The idea is that $S_2$ has to simulate the behaviour of $S_1$ regarding observable actions, but is free to use any sequence of non-observable ones in so doing. Such a relation $\mathcal{R}$ is said to be a weak bisimulation if both $\mathcal{R}$ and its inverse $\mathcal{R}^{-1}$ are weak simulations. When there is such a relation, $S_1$ and $S_2$ are said to be bisimilar, and one writes $S_1 \sim S_2$.

A CCS process $p$ is said to be a correct implementation of a specification LTS $S$ if $\mathrm{TS}(p) \sim S$. When the specification is clear from the context, we may simply say $p$ is correct. One thing to keep in mind is that all these definitions are relative to a choice of $K$. Usually, $K$ is taken to be $A \setminus \{\tau\}$, but this more flexible definition will prove convenient.
3 Reversible CCS

We turn now to a quick intuitive introduction to RCCS. Consider the following CCS process:

$(x)(\bar x \mid \bar x \mid x.x.a.p \mid x.x.b.q)$ (1)

Both subprocesses $a.p$ and $b.q$ require two communications on $x$ to execute, so the whole process may reach a deadlocked state $(x)(x.a.p \mid x.b.q)$ where neither $a$ nor $b$ may be triggered. If the intention is that the system implements the mutual exclusion process $a.p + b.q$, a possible fix is to give both subprocesses the possibility to release $x$:

$(x)(\bar x \mid \bar x \mid R_p(x,a) \mid R_q(x,b))$ (2)

with $R_p(x,a) := x.(\tau.(R_p(x,a) \mid \bar x) + x.(\tau.(R_p(x,a) \mid \bar x \mid \bar x) + a.p))$.

This example helps in realising two key things: first, the original code (1), although not correct, is partially correct in the sense that any successful action $a$ or $b$ leads to a correct state $p$ or $q$; second, the proposed fix can be made an instance of a generic distributed backtracking mechanism. The idea of RCCS is to provide such a mechanism, in a way that partial or causal correctness (yet to be defined formally) in CCS can be proved to be equivalent to full correctness of the same process once lifted to RCCS [5].

3.1 Syntax

RCCS forward actions are the same actions as CCS, namely $A$. Recall these are split into $K$ and its complement $K^c$. In the RCCS context actions in $K$ are also called irreversible, or sometimes commit actions (following the transaction terminology); actions in $K^c$ are also called reversible, since these are the ones one wants to backtrack. RCCS therefore also has backward actions written $a^-$, with $a \in K^c$.

RCCS processes are composed of threads of the form $m \triangleright p$, where $m$ is a memory, and $p$ is a plain CCS process:

$r ::= m \triangleright p \mid (r \mid r) \mid (x)r$

Memories are stacks used to record past interactions:

$m ::= \langle\theta,a,p\rangle \cdot m \mid \langle\theta\rangle \cdot m \mid \langle\rangle$

where $\theta$ is a thread identifier drawn from a countable set. Open memory elements $\langle\theta,a,p\rangle$ are used for reversible actions and contain a thread identifier $\theta$, the action last taken, and the alternative process that was left over by a choice, if any. Closed memory elements are used for irreversible actions, and only contain an identifier. The prefix relation on memories is defined as $m \sqsubseteq m'$ if there is an $m''$ such that $m'' \cdot m = m'$.

Processes are considered up to the usual congruence for parallel composition together with the following specific rules:

$m \triangleright (D(\tilde x) := p)$
$m \triangleright (p \mid q)$
$m \triangleright (x)p$

[right-hand sides of these three rules not recovered from the scan]
Figure 3: RCCS labelled transition system

  (act)     $\dfrac{\theta \notin m \quad a \in K^c}{m \triangleright a.p + q \;\to^{\theta}_{a}\; \langle\theta,a,q\rangle \cdot m \triangleright p}$

  (act*)    $\dfrac{a \in K^c}{\langle\theta,a,q\rangle \cdot m \triangleright p \;\to^{\theta^-}_{a^-}\; m \triangleright a.p + q}$

  (commit)  $\dfrac{\theta \notin m \quad k \in K}{m \triangleright k.p + q \;\to^{\theta}_{k}\; \langle\theta\rangle \cdot m \triangleright p}$

  (res)     $\dfrac{r \to^{\theta}_{a} r' \quad a \notin \{x, \bar x\}}{(x)r \to^{\theta}_{a} (x)r'}$

  (equiv)   $\dfrac{r \equiv r' \to^{\theta}_{a} s' \equiv s}{r \to^{\theta}_{a} s}$

  [(par) and (synch) rules not recovered from the scan]

Any CCS process $p$ can be lifted to RCCS with an empty memory $\ell(p) := \langle\rangle \triangleright p$, and conversely, there is a natural forgetful map $\varphi$ erasing memories and mapping back RCCS to CCS. Clearly $\varphi(\ell(p)) = p$. When we want to insist that the lift operation is parameterised by the set $K$, we write $\ell_K(p)$.

3.2 Operational semantics 

The operational semantics of RCCS is also given as an LTS with transitions given inductively by the rules in Fig. 3. In the contextual rules $\theta$ stands either for $\theta$ or $\theta^-$. The freshness of the thread identifier $\theta$ is guaranteed by the side conditions $\theta \notin m$ in the (act) and (commit) rules, and $\theta \notin s$ in the (par) rule. The use of such identifiers makes the presentation given here somewhat simpler than the earlier one [1]. Note that backtracking as defined in the operational semantics is a binary communication mechanism of exactly the same nature as usual forward communication. However, since threads are required to backtrack with the exact same thread with which they communicated earlier, backtrack can be shown to be confluent, at least for those processes that are reachable from the lifting of a CCS process.

The (commit) rule uses a closed memory element $\langle\theta\rangle \cdot m$ indicating that the information contained in $m$ is no longer needed, since by definition actions in $K$ are not backtrackable. Supposing $r$ is a process where any recursive process definition is guarded by a commit, an assumption to which we will return later on, this bounds the total size of open memory elements in any process reachable from $r$.

3.3 The fundamental property 

The question is now to see whether it is possible to obtain a characterisation of the behaviour of a lifted process $\ell_K(p)$ solely in terms of $p$. Intuitively, $\ell_K(p)$ being $p$ enriched with a mechanism for escaping computations not leading to any observable actions, one might think that $\ell_K(p)$ is bisimilar to the transition system generated by those traces of $p$ which lead to an observable action. This is almost true.

To give a precise statement, we need first a few notations and definitions. An RCCS transition as defined above is fully described by a tuple $t = (r, a, \theta, r')$ where $r$ is the source of $t$, $r'$ its target, $a$ its label and $\theta$ its identifier. If $a \in K$ we say that $t$ is a commit transition, otherwise it is a reversible transition. If the identifier is of the form $\theta$ (respectively $\theta^-$) we say $t$ is forward (backward). A trace is a sequence of composable transitions, and we write $r \to^*_\sigma s$ ($p \to^*_\sigma q$) whenever $\sigma$ is an RCCS (CCS) trace with source $r$ ($p$) and target $s$ ($q$). A trace is said to be forward if it contains only forward transitions.

A final and key ingredient is the notion of causality between transitions in a given forward trace. For CCS this is usually defined using the so-called proof terms [6], but one can also use RCCS memories.

The set of memories involved in a forward transition $t = (r, a, \theta, r')$ is defined as $\mu(t) := \{m \in r \mid \exists a, q : \langle\theta,a,q\rangle \cdot m \in r'\}$; this is either a singleton, if no communication happened, or a two element set, if some did.

Definition 1 (Causality) Let $\sigma : t_1; \ldots; t_n$ be a forward RCCS trace:

— $t_i$ and $t_j$ with $i < j$ are in direct causality relation, written $t_i \lhd t_j$, if there is $m \in \mu(t_i)$, $m' \in \mu(t_j)$ such that $m \sqsubseteq m'$; one says that $t_i$ causes $t_j$, written $t_i < t_j$, if $t_i \lhd^+ t_j$.

— $\sigma$ is said to be causal if for all transitions $t_i$ with $i < n$, $t_i < t_n$; it is said to be $k$-causal if it is causal, its last transition $t_n$ is labelled with $k \in K$, and all preceding transitions are labelled in $K^c$.

One extends this terminology to CCS traces by saying a CCS trace $p \to^*_\sigma p'$ is causal if it lifts to a causal trace $\ell_K(p) \to^*_\sigma r'$ with $\varphi(r') = p'$.

With the notion of causal trace in place, we can define the causal compression of a process $p$ relative to $K$.

Definition 2 (Relative causal compression) Let $p$ be a CCS process; its causal compression relative to $K$, written $\mathrm{CTS}_K(p)$, is the LTS $(P, p, K, \Rightarrow)$ where $\Rightarrow$ is defined as $q \Rightarrow_k q'$ if $q \to^*_\sigma q'$ for some $k$-causal trace $\sigma$.

We are now ready to state the theorem that characterizes the behaviour of $\ell_K(p)$ in terms of the simpler process $p$.

Theorem 1 (Fundamental property [1]) Let $\mathrm{TS}_K(p) = (R, \ell_K(p), A, \to)$ be the LTS associated to the lift $\ell_K(p)$; then $\mathrm{TS}_K(p) \sim \mathrm{CTS}_K(p)$.

As said above, it is not true that $\mathrm{TS}_K(p)$ is bisimilar to the transition system of traces of $p$ leading to observable actions; one has to be careful to restrict to causal traces. A trivial but useful rephrasing of this result is:

Corollary 1 Let $p$ be a CCS process, and $S$ be its specification; if $\mathrm{CTS}_K(p) \sim S$ then $\ell_K(p) \sim S$.

In words, this says that to check the correctness of $\ell_K(p)$ with respect to $S$, it is enough to check the correctness of $\mathrm{CTS}_K(p)$.

If one goes back to the example at the beginning of this section, this says that $\ell_{\{a,b\}}((x)(\bar x \mid \bar x \mid x.x.a.p \mid x.x.b.q))$ is equivalent to $a.p + b.q$, as soon as the causal compression of $p = (x)(\bar x \mid \bar x \mid x.x.a.p \mid x.x.b.q)$ relative to $\{a, b\}$ is. This is easily seen in this example, and in fact, as often in practice, $\mathrm{CTS}_K(p)$ and $S$ turn out to be equal.

The interest of this fundamental property lies in the fact that the causal compression relative to $K$, $\mathrm{CTS}_K(p)$, is significantly smaller than the partially reversible process $\ell_K(p)$. A natural question is therefore, given a process $p$, to compute $\mathrm{CTS}_K(p)$. By finding an efficient way to do this, one would obtain an efficient verification procedure. This is the object of the next section.

4 Causal compression 

A first idea to extract the causal transition system of a process $p$ is to use the LTS generated by $\to$ and screen off non-causal traces. One cannot know, however, whether a trace can be extended into a $k$-causal form until a commit is effectively taken, and such an approach would likely lead to both superfluous (because lots of traces will not be causal) and redundant (because of trace equivalence) computations. A more astute approach is to look only at traces that will eventually be in a $k$-causal form. This requires a bottom-up view of traces where one starts from commits inside a term, and then reconstructs causal traces triggering this commit by consuming its predecessors in every possible way.

However, there is no need to work directly in the syntax, and event structures [3] provide exactly what is needed here: a truly concurrent semantics that abstracts from the interleaving of concurrent transitions, and more importantly an explicit notion of causality. Among the various types of event structures the most often considered are prime ones, because consistent runs can be simply characterized. Yet they lead to quite large data structures.¹ Our algorithm uses instead flow event structures (FES) [6, 7, 8]. On the one hand, there is a simple inductive translation of CCS terms into FESs that incurs no computational cost; on the other hand, FESs are algorithmically convenient compact forms of event structures.

We first explain how to extract the causal compression $\mathrm{CTS}_K(p)$ from the translation of $p$ into an FES. Then we discuss computational issues such as how to make this an algorithm, and how some of the apparent computational costs can be circumvented at the level of the implementation.

4.1 Flow event structures 

A (labelled) flow event structure is a tuple $\mathcal{E} = (E, \prec, \#, \lambda)$ where

— $E$ is a set of events,

— $\prec \subseteq E \times E$ is the flow relation, which has to be irreflexive,

— $\# \subseteq E \times E$ is the conflict relation, which is symmetric,

— and $\lambda : E \to A$ a labelling function.

The idea is that the flow relation gives all immediate possible causes of an event, while the conflict relation indicates a conflicting choice between two events.

¹Specifically in prime event structures causes of an event must be uniquely determined, and this forces duplication of the future of an event each time it is engaged in a synchronization.

Figure 4: FES representation of $p := a.c.a.0 \mid \bar a.0$. Events are named after their labels when these are not ambiguous.

Definition 3 Let $\mathcal{E} = (E, \prec, \#, \lambda)$ be an FES; a set $X \subseteq E$ is a configuration of $\mathcal{E}$, written $X \in \mathcal{C}(\mathcal{E})$, if it is:

— conflict free: $\# \cap (X \times X) = \emptyset$,

— cycle free: $\prec^*$ restricted to $X$ is a partial order,

— and left-closed up to conflicts: if $e \in X$ and there is $d \in E$ such that $d \prec e$ then either $d \in X$ or there exists $f \in X$ such that $f \prec e$ and $f \# d$.

The last two conditions are the price to pay for working with FESs, and are not needed for prime ones. The first one will require some optimised structuring of the conflict relation; we'll return to this point soon.

A configuration $X$ in $\mathcal{E}$ with $e \in X$ is $e$-minimal if $\forall e' \in X : e' \prec^* e$. The set of $e$-minimal configurations is denoted by $\mathcal{C}(\mathcal{E}, e)$.

There is an easy inductive translation $u$ unfolding any CCS process into an FES [6], where events correspond to communications, and configurations are those subsets of events that a trace can trigger. We will not recall this translation here, and only give an example (see Fig. 4). The correctness of $u$ is given by the following representation theorem:

Theorem 2 ([7]) Let $p$ be a CCS process, and $\mathcal{T}(p)$ stand for the traces of $p$ quotiented by trace equivalence; then $(\mathcal{T}(p), \le)$ and $(\mathcal{C}(u(p)), \subseteq)$ are isomorphic.

One can define a transition system out of an FES. To do this, we define $\mathcal{E} \setminus X$, the residual of $\mathcal{E}$ by a configuration $X$ in $\mathcal{C}(\mathcal{E})$.

Definition 4 (Residual) Let $\mathcal{E} = (E, \prec, \#, \lambda)$ be an FES, $X$ be a configuration of $\mathcal{E}$, and define $X^\# := \{e \in E \mid \exists e' \in X : e' \# e\}$. The residual of $\mathcal{E}$ by $X$ is $\mathcal{E} \setminus X := (E', \prec', \#')$ where:

$E' := E \setminus (X \cup X^\#)$, $\quad \prec' := \prec \cap (E' \times E')$, $\quad \#' := \# \cap (E' \times E')$

The LTS associated to $\mathcal{E} = (E, \prec, \#, \lambda)$ has initial state $\mathcal{E}$, and transition relation given by $\mathcal{E}' \to_X \mathcal{E}''$ if $X \in \mathcal{C}(\mathcal{E}')$ and $\mathcal{E}'' = \mathcal{E}' \setminus X$.

It is here that our reframing of the compression question in terms of event structures pays off, since to obtain the causal compression of the transition system above, all one has to do is to restrict labels to $e$-minimal configurations such that $\lambda(e) \in K$. The causal LTS associated to $\mathcal{E}$, written $\mathrm{CTS}_K(\mathcal{E})$, has initial state $\mathcal{E}$, and transition relation given by $\mathcal{E}' \Rightarrow_{\lambda(e)} \mathcal{E}''$ if there is an event $e \in E'$ such that $\mathcal{E}' \to_X \mathcal{E}''$ with $X \in \mathcal{C}(\mathcal{E}', e)$ and $\lambda(e) \in K$. As a consequence of the representation theorem one gets:

Lemma 1 Let $p$ be a CCS process; then $\mathrm{CTS}_K(p)$ and $\mathrm{CTS}_K(u(p))$ are isomorphic.

At that point, we have an equivalent definition of $\mathrm{CTS}_K(p)$ in terms of the FES, and it remains to see how one can turn this definition into an algorithm. This is what we discuss now.

4.2 Algorithmic discussion 

First, the unfolding $u(p)$ is in general an infinite object even if we restrict to finite state processes. To keep to finite internal data structures, we require each recursive process definition to be guarded by a commit action. This seems a reasonable constraint, in that there is a priori no reason to model a transactional mechanism with a process that allows infinite forward inconclusive traces.

To compute $\mathrm{CTS}_K(u(p))$, we use instead of $u$ a partial unfolding $u^-$ that coincides with $u$ except that it does not unfold any recursive definition. The constraint above ensures that every commit $k$ that is reachable by a single causal transition can be seen by this partial unfolding. Only after triggering the event corresponding to $k$ are the recursive calls guarded by $k$ (if any) unfolded, and their translations by $u^-$ added to the residual of the obtained event structure. One then checks whether the obtained residual event structure is isomorphic to one obtained previously, and adds it to the state space if not. Given a process $p$, the algorithm to compute $\mathrm{CTS}_K$ proceeds as follows:

0. $\mathcal{E} = (E, \prec, \#, \lambda) := u^-(p)$.

1. For all $e \in E$ such that $\lambda(e) \in K$, compute the $e$-minimal configurations $X_e \in \mathcal{C}(\mathcal{E}, e)$.

2. For each such $X_e$ build the residual $\mathcal{E} \setminus X_e$, with recursive definitions guarded by $e$ unfolded using $u^-$.

3. Add the transitions $\mathcal{E} \Rightarrow_k \mathcal{E} \setminus X_e$ to the CTS under construction.

4. For each residual $\mathcal{E} \setminus X_e$ not isomorphic to any previous one, set $\mathcal{E} := \mathcal{E} \setminus X_e$ and go to step 1.

By the representation theorem, this algorithm will terminate as soon as $\mathrm{CTS}_K(p)$ is finite.
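As an added illustration (not code from the paper or from the Causal library), the following Python carries out Definitions 3 and 4 and steps 0 to 4 above on a small FES built by hand for the process of Fig. 4, $a.c.a.0 \mid \bar a.0$, with the usual $K = A \setminus \{\tau\}$. It assumes a recursion-free process (so step 2 unfolds nothing) and replaces the isomorphism test of step 4 by equality of event sets, which suffices here because events keep their identity across residuals; the event names and relations of the structure are this example's own construction, not the paper's figure.

```python
"""Relative causal compression CTS_K of a finite flow event structure, by brute force:
Definitions 3 and 4 and steps 0-4 of Section 4.2.  Added example, not code from the paper
or its Causal library.  Assumptions: the FES is recursion-free (step 2's unfolding is
skipped), and events keep their identity across residuals, so equality of event sets
stands in for the isomorphism test of step 4."""
from itertools import combinations


class FES:
    def __init__(self, events, flow, conflict, label):
        self.E = frozenset(events)
        self.flow = frozenset(flow)  # (d, e): d is a possible immediate cause of e
        self.conf = frozenset(set(conflict) | {(b, a) for (a, b) in conflict})  # symmetric
        self.lab = dict(label)

    def causes(self, e, within=None):
        """Events d with d prec+ e, following only flow edges whose source lies in `within`."""
        within = self.E if within is None else within
        seen, todo = set(), [e]
        while todo:
            x = todo.pop()
            for d, y in self.flow:
                if y == x and d in within and d not in seen:
                    seen.add(d)
                    todo.append(d)
        return seen

    def is_configuration(self, X):
        X = frozenset(X)
        if any((a, b) in self.conf for a in X for b in X):  # conflict free
            return False
        if any(e in self.causes(e, X) for e in X):  # cycle free: prec* on X is a partial order
            return False
        for e in X:  # left-closed up to conflicts
            for d, y in self.flow:
                if y == e and d not in X and not any(
                        (f, e) in self.flow and (f, d) in self.conf for f in X):
                    return False
        return True

    def minimal_configurations(self, e):
        """C(E, e): configurations containing e in which every event lies below e."""
        below = sorted(self.causes(e))
        found = []
        for n in range(len(below) + 1):
            for part in combinations(below, n):
                X = frozenset(part) | {e}
                if self.is_configuration(X):
                    found.append(X)
        return found

    def residual(self, X):
        """E\\X (Definition 4): drop X and everything in conflict with X, restrict the relations."""
        x_conf = {e for e in self.E if any((x, e) in self.conf for x in X)}
        keep = self.E - frozenset(X) - x_conf
        return FES(keep,
                   [(d, e) for (d, e) in self.flow if d in keep and e in keep],
                   [(a, b) for (a, b) in self.conf if a in keep and b in keep],
                   {e: self.lab[e] for e in keep})


def causal_compression(initial, K):
    """Returns (states, transitions).  A transition (source, k, target, X) is added for each
    e-minimal configuration X with lab(e) = k in K whose other events are all outside K
    (the k-causal traces of Definition 2).  States are keyed by their event set."""
    states = {initial.E: initial}
    transitions = []
    todo = [initial]
    while todo:
        fes = todo.pop()
        for e in sorted(fes.E):
            if fes.lab[e] not in K:
                continue
            for X in fes.minimal_configurations(e):
                if any(fes.lab[x] in K for x in X - {e}):
                    continue
                nxt = fes.residual(X)
                transitions.append((fes.E, fes.lab[e], nxt.E, X))
                if nxt.E not in states:
                    states[nxt.E] = nxt
                    todo.append(nxt)
    return states, transitions


# Constructed FES for the Fig. 4 process a.c.a.0 | abar.0, built here by hand (not copied
# from the paper's figure): a1, c, a2 are the prefixes of the left component, abar the right
# one, tau1 = (a1, abar) and tau2 = (a2, abar) the two possible synchronisations.  A
# synchronisation conflicts with the events it is built from and with the other one.
FIG4 = FES(
    events=["a1", "c", "a2", "abar", "tau1", "tau2"],
    flow=[("a1", "c"), ("tau1", "c"), ("c", "a2"), ("c", "tau2")],
    conflict=[("tau1", "a1"), ("tau1", "abar"), ("tau2", "a2"), ("tau2", "abar"), ("tau1", "tau2")],
    label={"a1": "a", "c": "c", "a2": "a", "abar": "abar", "tau1": "tau", "tau2": "tau"},
)
K = {"a", "c", "abar"}  # the usual choice K = A \ {tau}
```

Calling `causal_compression(FIG4, K)` yields 8 states and 11 causal transitions; from the initial structure the only $c$-transition goes through $\{\tau_1, c\}$, since $\{a_1, c\}$ contains the commit $a_1$ and so does not correspond to a $k$-causal trace.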

In practice most of the isomorphism tests can be avoided by using a quite discriminative equality test between FES signatures which is linear in the number of events. Another efficiency problem one has to deal with is the internal representation of the conflict relation (which is involved in step 1 because of the conflict-free condition on configurations). In prime event structures conflict is inherited through causality, that is to say if $e \# e'$ and $e' \le e''$, then $e \# e''$. Hence a rather compact way to represent conflict is to keep only $(e, e') \in \#$ and deduce when needed that $e \# e''$ by heredity. We have found that a similar compact structure, which we call a conflict tree, can be used for FESs. Conflict trees are built during process partial unfoldings, and result in a typically logarithmically compact representation of conflict, for a low computational cost. An example of a conflict tree is given in Fig. 5: conflict is predicated of intervals, and $[n - m] \# [n' - m']$ means that any pair of events indexed within $\{n, \ldots, m\} \times \{n', \ldots, m'\}$ is in conflict.

Figure 5: Conflict tree of $a_3.(b_0 \mid c_2 + d_1) + b_4$



5 Causal module and tests

The relative compression algorithm was implemented as an OCaml [9] library, Causal [10]. Having a library instead of an independent tool allows one to use the underlying language, which offers more construction primitives than CCS. Any interesting encoding needs parametric process definitions in order to define systems with a varying number of agents, and our module offers simple CCS process constructors, so that one has a real programming language to build large processes.

5.1 Benchmark 

To get a sense of how well our verification technique performs compared with a straight bisimulation based verification, we ran several tests² using encodings of the dining philosophers problem. This timeless example of distributed consensus involves $n$ philosophers eating together around a table. Each of them needs two chopsticks to start eating, and has to share them with his neighbours. When a philosopher has eaten, he releases his chopsticks after a while and goes back to the initial state. In the partial implementation, say $p_{part}$, once a philosopher takes a chopstick he never puts it back unless he has successfully eaten. In the fully correct one, say $p_{full}$, he may release chopsticks at any time (thus avoiding deadlocks). The CCS processes $p_{part}$ and $p_{full}$ for $n = 2$ correspond roughly to the earlier examples (1) and (2). (See [1] for a general definition and detailed study.)

²Tests were made with an Intel Pentium 4 CPU 3.20GHz with 1GB of RAM.

There are two main reasons for taking the dining philosophers example. First it is a paradigmatic example of distributed consensus, so the way to solve it without access to the scheduler (by adding additional semaphores for instance) has to involve backtracking. Second, it turns out that the number of possible states of the specification is given by a Fibonacci sequence³

$S(1) = 1 \qquad S(2) = 3 \qquad S(n+1) = S(n) + S(n-1)$

This is convenient in that it gives a simple means to compare the time of computation with the size of the specification state space. Verifying correctness of $p_{full}$ using the Mobility Workbench (MWB) [11] (see Fig. 6) proved to be impossible beyond 5 philosophers (around 160 specification states) because of memory limitations. By using first the Causal module (see Fig. 7) to extract the causal transition system of $p_{part}$, we could verify up to 19 philosophers (around 15,000 specification states) within a time which stayed roughly proportional to the number of states. Since $\mathrm{CTS}(p_{part})$ is in this case equal to the specification, the remaining part of the correctness proof takes negligible time (MWB needs 0.4s for 10 philosophers).

Figure 6: Direct bisimulation test for $p_{full}$.

6 Conclusion 

We have proposed a method for the verification of distributed systems which uses an algorithm of relative causal compression. The method does not always apply: the process one wants to verify must use a generic backtracking mechanism. This may seem a limitation, but it often obtains a much simpler code, and many examples of distributed transactions lend themselves naturally to this constraint. When the method does apply, however, it proves very effective, as we have shown in the dining philosophers example.

³Thanks to Hubert Krivine (LPTMS) for showing us this nice result.

Figure 7: Relative causal compression using the Causal module.

State space explosion in automated bisimulation proofs is a well known phenomenon, and trace compression techniques have been proposed to avoid the redundancy created by the interleaving of transitions [6, 12], and used in model-checking applications [13, 14]. These compressions preserve bisimilarity, whereas ours does not, and is of a completely different nature. Besides, and because our algorithm uses event structures, we also cash in on this classical kind of compression.

There is no reason why this verification method should be limited to CCS. Other concurrent models can be equipped with backtracking, and forward and backward aspects of correctness can be split there as well. Recent work extends the concept of partially reversible computations to various process algebras [15], and it is possible to define an analogue of RCCS for the $\pi$-calculus. New advances in event structure semantics for the $\pi$-calculus [16] might allow the causal compression algorithm to be extended, so as to cover the important case of name-passing calculi.